So, you've got best of breed when it comes to network security and your building's security has a state-of-the-art access system. You've invested in the technology…however a social engineering attack could bypass all of these defenses within minutes!
For example, take the scenario where a fire safety inspector shows up at your office, shows their badge and asks for a walkthrough of your building - you're legally required to give them access to do their job. They ask a lot of questions, they take electrical readings at various wall outlets and they examine wiring under desks. The problem is, in this case they're really security consultants doing a social engineering 'security assessment' and grabbing access cards, installing keystroke loggers, and generally getting away with as much of your business' private information as possible. This could have as easily been a criminal…
Social engineers, or criminals who take advantage of human behavior to pull off a scam, aren't worried about a badge system. They will just walk right in and confidently ask someone to help them get inside. And those best of breed network systems? It won't mean much if your users are tricked into clicking on a malicious link or attachment they think came from a Facebook friend or colleague. These are some of the methods that criminals and security consultants use everyday with great success.
What is social engineering?
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
How is my company at risk?
Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. In the example given above, once a social engineer has a trusted employee password, he can simply log in and snoop around for sensitive data. Another one might be to scam someone out of an access card or code in order to physically get inside a facility, whether to access data, steal assets, or even to harm people. If they have limited time within the building, they may connect a wireless access point and router to a meeting room network point or under someone’s desk. They can then leave the building and take as much time as they like, snooping on the data that is beginning transmitted to them outside in the car park.
Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook. In these days of social sharing, this makes it very easy to profile their targets.
Why do people fall for social engineering techniques?
People are fooled every day by these tactics because they haven't been adequately warned about social engineers. Human behaviour is always the weakest link in any security program. And who can blame them? Without the proper education, most people won't recognise a social engineer's tricks because they are often very sophisticated.
Social engineers use a number of psychological tactics on unsuspecting victims. Successful social engineers are confident and in control of the conversation. They simply act like they belong in a facility, even if they should not be, and their confidence and body posture puts others at ease.
They will not sneak around; they may proactively approach people and draw attention to themselves.
They may give you something. Even a small favour creates trust and a perception of indebtedness.
They may use humor. It's endearing and disarming.
Online, many social engineering scams are taking advantage of both human fear and curiosity. Emails or instant messages that ask "Have you seen this video of you?' are impossible to resist if you aren't aware it is simply a social engineer, looking to trap you into clicking on a bad link.
Successful phishing attacks often warn, "Your bank account has been breached! Click here to log in and verify your account…." Or, "You have not paid for the item you recently won on eBay. Please click here to pay." This ploy plays to a person's concerns about negative impact on their eBay score for example.
How can I educate my employees to prevent social engineering?
Awareness is the number one defensive measure. Employees should be aware that social engineering exists and also aware of the tactics most commonly used.
Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. A story about someone posing as a fire safety inspector is an example of how to get the message across in an interesting way. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is always who they say they are.
Social engineering tricks are always evolving, and awareness training has to be kept fresh and up to date. For example, as social networking sites grow and evolve, so do the scams social engineers try to use there.
It’s also important to remember that it isn't just the average employee who needs to be aware of social engineering. Evidence from a number of security assessments have shown that executives are often the easiest targets. They are soft targets for many reasons, including a lax security attitude and their tendency to use the latest technology.
Are there any tools to help make this process more effective?
There are a number of specialised vendors offering tools to help conduct security awareness training, but it’s important to recognise that tools can help measure and deliver this awareness training, but you will still need to build an effective content strategy for the overall program and ensure that this is kept up to date.